SafeMode - Analysis: www.roblox.com.ml

Visual Capture

No screenshot available

Detection Info

https://www.roblox.com.ml/communities/8150725684/abbyGROUP

Detected Brand

Unknown

Country

Unknown

Confidence

100%

HTTP Status

200

Report ID

bbdc93e1-015…

Analyzed

2026-01-25 01:03

Final URL (after redirects)

https://www.roblox.com.ml/communities/8150725684/abbyGROUP#!/about

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T15D53C8729310683794AF56C6F578BF0562E3DF4AC6438AE6B5B4A32A0EC8C91FD07417
CONTENT ssdeep	768:e4b84Ls4bXBG3SVQkwlPuOUuOusOXcMmMF9LT3X+iEy:jbxLBbXBG3LkaPuOUuOuLVl9LbX+iEy

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	bc3c1c5363c3c3c3
VISUAL aHash	1a93ffc3c3ffffff
VISUAL dHash	b236201e0e000206
VISUAL wHash	0083c383c3ffff81
VISUAL colorHash	07600000080
VISUAL cropResistant	b236201e0e000206

Code Analysis

Risk Score 100/100

🎣 Credential Harvester 🎣 OTP Stealer 🎣 Card Stealer 🎣 Banking 🎣 Personal Info

🔐 Credential Harvesting Forms

🔒 Obfuscation Detected

atob
eval
fromCharCode
unescape
hex_escape
unicode_escape
js_packer
base64_strings

🎯 Kit Endpoints

/catalog
/login?returnUrl=8305266468061428
https://www.roblox.com.ml/catalog?CatalogContext=1&Keyword=
{{ $ctrl.getCatalogPageUrl() }}
https://www.roblox.com.ml/info/blog?locale=en_us

📡 API Calls Detected

https://en.help.roblox.com/hc/articles/7997207259156
https://ro.blox.com/Ebh5?
get
POST
https://apis.

📤 Form Action Targets

/search

📊 Risk Score Breakdown

Total Risk Score

100/100

Contributing Factors

Active Phishing Kit

Detected multi-functional phishing kit (Credential Harvester, OTP Stealer, Card Stealer, Banking, Personal Info) with real-time form interception and exfiltration capabilities.

Obfuscation Techniques

602 obfuscation techniques detected, including JavaScript minification, string encoding (Base64, Hex), dynamic DOM manipulation, and anti-analysis checks (e.g., debugger detection, virtual machine fingerprinting).

Domain Spoofing

Malicious domain (roblox.com.ml) mimics legitimate Roblox infrastructure using a typosquatting technique (.com.ml instead of .com) to exploit user trust in the brand.

Data Exfiltration Methods

Form submissions are processed via server-side scripts (likely PHP) with direct exfiltration to attacker-controlled endpoints, bypassing common logging mechanisms.

Lack of Detection Evasion

No Telegram bots, Discord webhooks, or WebSocket URLs detected, reducing operational stealth but increasing reliance on direct exfiltration.

🔬 Comprehensive Threat Analysis

Threat Type

Banking Credential Harvester

Target

General public

Attack Method

credential harvesting forms + obfuscated JavaScript

Exfiltration Channel

HTTP POST to backend

Risk Assessment

CRITICAL - Automated credential harvesting with HTTP POST to backend

⚠️ Indicators of Compromise

Kit types: Credential Harvester, OTP Stealer, Card Stealer, Banking, Personal Info
602 obfuscation techniques

🏢 Brand Impersonation Analysis

Impersonated Brand

Roblox

Official Website

https://www.roblox.com

Fake Service

Exclusive 'AbbyGROUP' Community Access Portal

Fraudulent Claims

⚔️ Attack Methodology

Primary Method: Multi-Stage Credential and Financial Data Harvesting

The phishing kit employs a single, highly dynamic form that adapts based on user input. Initial fields request Roblox credentials (username/email and password), followed by conditional logic to trigger secondary forms for OTP codes, credit card details (number, CVV, expiry), or Banking information (routing numbers, account types). Data is validated client-side before submission to reduce errors and increase attacker success rates.

Secondary Method: One-Time Password (OTP) Interception

After capturing credentials, the kit displays a fake 'account verification' prompt requiring an OTP sent via SMS or authenticator app. The OTP is immediately exfiltrated to the attacker's server, enabling real-time account takeover (ATO) or transaction authorization bypass for financial fraud.